MPLS: What is SVTI Virtual Tunnel Interface? How to configure IPsec Static virtual tunnel?

The virtual tunnel is also called native IPsec, VTI does the same job that GRE with IPsec does. They both encrypt the tunnel with IPsec. VTI removed the additional 4 bytes GRE header, thus reducing the bandwidth for sending encrypted data. VTI allows to configuration of ACL, NAT, and QoS. remember the default mode for a tunnel is GRE you have to define the mode IPsec IPv4 to configure the SVTI tunnel.

There are two types of VTI (Virtual Tunnel Interface)

1. Static Virtual Tunnel Interface

2. Dynamic Virtual Tunnel Interface

configuration for SVTI is very simple we do not need to define interesting (ACL) traffic. configuration same just like we configure GRE with IPsec but with a small difference, we have to define the tunnel mode.

let's see the topology:-https://youtu.be/b3wNC8mAI9E?si=NtBhT1iXmevfqbu7

configure the topology as per the diagram
assign the IP addresses as per the topology
configure static and default route
configure tunnel between Site-A-R to Site-B-R
configure EIGRP advertise tunnel interface and LAN network on both sites
configure IPsec and apply on the tunnel interface
make sure data will encrypt

Site-A-router(config)#interface serial 4/0
Site-A-router(config-if)#ip address 1.1.1.1 255.0.0.0
Site-A-router(config-if)#no shutdown
Site-A-router(config-if)#exit

Site-A-router(config)#interface fastEthernet 0/0
Site-A-router(config-if)#ip address 10.1.1.1 255.0.0.0
Site-A-router(config-if)#no shutdown
Site-A-router(config-if)#exit

INTERNET(config)#interface serial 4/0

INTERNET(config-if)#ip address 1.1.1.2 255.0.0.0

INTERNET(config-if)#no shutdown

INTERNET(config-if)#exit

INTERNET(config)#interface serial 4/1

INTERNET(config-if)#ip address 3.3.3.1 255.0.0.0

INTERNET(config-if)#no shutdown

INTERNET(config-if)#exit

INTERNET(config)#interface serial 4/2

INTERNET(config-if)#ip address 4.4.4.1 255.0.0.0

INTERNET(config-if)#no shutdown

INTERNET(config-if)#exit

Site-B-router(config)#interface serial 4/1

Site-B-router(config-if)#ip address 3.3.3.2 255.0.0.0

Site-B-router(config-if)#no shutdown

Site-B-router(config-if)#exit

Site-B-router(config)#interface fastEthernet 0/0

Site-B-router(config-if)#ip address 30.1.1.1 255.0.0.0

Site-B-router(config-if)#no shutdown

Site-B-router(config-if)#exit

Site-C-router(config)#interface serial 4/2

Site-C-router(config-if)#ip address 4.4.4.2 255.0.0.0

Site-C-router(config-if)#no shutdown

Site-C-router(config-if)#exit

Site-C-router(config)#interface fastEthernet 0/0

Site-C-router(config-if)#ip address 40.1.1.1 255.0.0.0

Site-C-router(config-if)#no shutdown

Site-C-router(config-if)#exit

Site-A-router(config)#do show ip int br

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 10.1.1.1 YES manual up up

INTERNET(config-if)#do show ip int br

Interface IP-Address OK? Method Status Protocol

Serial4/0 1.1.1.2 YES manual up up

Serial4/1 3.3.3.1 YES manual up up

Serial4/2 4.4.4.1 YES manual up up

Site-B-router#show ip int br

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 30.1.1.1 YES manual up up

Serial4/1 3.3.3.2 YES manual up up

Site-C-router#show ip interface brief

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 40.1.1.1 YES manual up up

Serial4/2 4.4.4.2 YES manual up up

Site-A-router(config)#ip route 0.0.0.0 0.0.0.0 1.1.1.2

INTERNET(config)#ip route 10.0.0.0 255.0.0.0 1.1.1.1

INTERNET(config)#ip route 30.0.0.0 255.0.0.0 3.3.3.2

Site-B-router(config)#ip route 0.0.0.0 0.0.0.0 3.3.3.1

Site-A-router(config)#do trace 30.1.1.1

Type escape sequence to abort.

Tracing the route to 30.1.1.1

1 1.1.1.2 16 msec 48 msec 20 msec

2 3.3.3.2 68 msec 60 msec 64 msec

Site-A-router(config)#interface tunnel 1234

Site-A-router(config-if)#ip address 192.168.123.1 255.255.255.0

Site-A-router(config-if)#ip mtu 1400

Site-A-router(config-if)#ip tcp adjust-mss 1360

Site-A-router(config-if)#tunnel source 1.1.1.1

Site-A-router(config-if)#tunnel destination 3.3.3.2

Site-A-router(config-if)#exit

Site-B-router(config)#interface tunnel 123

Site-B-router(config-if)#ip address 192.168.123.2 255.255.255.0

Site-B-router(config-if)#ip mtu 1400

Site-B-router(config-if)#ip tcp adjust-mss 1360

Site-B-router(config-if)#tunnel source 3.3.3.2

Site-B-router(config-if)#tunnel destination 1.1.1.1

Site-B-router(config-if)#exit

Site-A-router(config)#router eigrp 123

Site-A-router(config-router)#network 192.168.123.0

Site-A-router(config-router)#network 10.0.0.0

Site-A-router(config-router)#no auto-summary

Site-A-router(config-router)#exit

Site-B-router(config)#router eigrp 123

Site-B-router(config-router)#network 192.168.123.0

Site-B-router(config-router)#network 30.0.0.0

Site-B-router(config-router)#no auto-summary

Site-B-router(config-router)#exit

*Jan 11 12:20:47.079: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 123: Neighbor 192.168.123.2 (Tunnel1234) is up:new adjacency

*Jan 11 12:20:47.747: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 123: Neighbor 192.168.123.1(Tunnel123) is up: new adjacency

Site-A-router#show ip eigrp neighbors
IP-EIGRP neighbors for process 123
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 192.168.123.2 Tu1234 11 00:01:26 66 1362 0 5

Site-B-router#show ip eigrp neighbors

IP-EIGRP neighbors for process 123

H Address Interface Hold Uptime SRTT RTO Q Seq

(sec) (ms) Cnt Num

0 192.168.123.1 Tu123 11 00:01:02 67 1362 0 4

Site-B-router#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 3.3.3.1 to network 0.0.0.0
C 192.168.123.0/24 is directly connected, Tunnel123
C 3.0.0.0/8 is directly connected, Serial4/1
D 10.0.0.0/8 [90/26882560] via 192.168.123.1, 00:01:11, Tunnel123
C 30.0.0.0/8 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 [1/0] via 3.3.3.1

Site-A-router(config)#crypto isakmp policy 123

Site-A-router(config-isakmp)#authentication pre-share

Site-A-router(config-isakmp)#hash sha

Site-A-router(config-isakmp)#group 5

Site-A-router(config-isakmp)#encryption aes

Site-A-router(config-isakmp)#exit

Site-A-router(config)#crypto isakmp key 0 internet address 3.3.3.2

Site-B-router(config)#crypto isakmp policy 123
Site-B-router(config-isakmp)#authentication pre-share
Site-B-router(config-isakmp)#hash sha
Site-B-router(config-isakmp)#group 5
Site-B-router(config-isakmp)#encryption aes
Site-B-router(config-isakmp)#exit

Site-B-router(config)#crypto isakmp key 0 internet address 1.1.1.1

Site-A-router(config)#crypto ipsec transform-set TRANS-SET esp-aes esp-sha-hmac
Site-A-router(cfg-crypto-trans)#mode ?
transport transport (payload encapsulation) mode
tunnel tunnel (datagram encapsulation) mode
Site-A-router(cfg-crypto-trans)#mode tunnel
Site-A-router(cfg-crypto-trans)#exit

Site-B-router(config)#crypto ipsec transform-set TRANS-SET esp-aes esp-sha-hmac
Site-B-router(cfg-crypto-trans)#mode tunnel
Site-B-router(cfg-crypto-trans)#exit

Site-A-router(config)#crypto ipsec profile SVTI

Site-A-router(ipsec-profile)#set transform-set TRANS-SET

Site-A-router(ipsec-profile)#exit

Site-B-router(config)#crypto ipsec profile SVTI

Site-B-router(ipsec-profile)#set transform-set TRANS-SET

Site-B-router(ipsec-profile)#exit

Site-A-router(config)#interface tunnel 1234

Site-A-router(config-if)#tunnel protection ipsec profile SVTI

Site-A-router(config-if)#tunnel mode ipsec ipv4

Site-A-router(config-if)#end

Site-B-router(config)#interface tunnel 123

Site-B-router(config-if)#tunnel protection ipsec profile SVTI

Site-B-router(config-if)#tunnel mode ipsec ipv4

Site-B-router(config-if)#exit

Site-A-router#show ip int br

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 10.1.1.1 YES manual up up

Serial4/0 1.1.1.1 YES manual up up

Tunnel1234 192.168.123.1 YES manual up up

Site-B-router#show ip int br

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 30.1.1.1 YES manual up up

Serial4/1 3.3.3.2 YES manual up up

Tunnel123 192.168.123.2 YES manual up up

Site-A-router#show interfaces tunnel 1234

Tunnel1234 is up, line protocol is up

Hardware is Tunnel

Internet address is 192.168.123.1/24

MTU 17878 bytes, BW 100 Kbit/sec, DLY 50000 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation TUNNEL, loopback not set

Keepalive not set

Tunnel source 1.1.1.1, destination 3.3.3.2

Tunnel protocol/transport IPSEC/IP

Tunnel TTL 255

Tunnel transport MTU 1438 bytes

Tunnel transmit bandwidth 8000 (kbps)

Tunnel receive bandwidth 8000 (kbps)

Tunnel protection via IPSec (profile "SVTI")

Site-B-router#show interfaces tunnel 123

Tunnel123 is up, line protocol is up

Hardware is Tunnel

Internet address is 192.168.123.2/24

MTU 17878 bytes, BW 100 Kbit/sec, DLY 50000 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation TUNNEL, loopback not set

Keepalive not set

Tunnel source 3.3.3.2, destination 1.1.1.1

Tunnel protocol/transport IPSEC/IP

Tunnel TTL 255

Tunnel transport MTU 1438 bytes

Tunnel transmit bandwidth 8000 (kbps)

Tunnel receive bandwidth 8000 (kbps)

Tunnel protection via IPSec (profile "SVTI")

Site-A-router#traceroute 30.1.1.1 source fastEthernet 0/0

Type escape sequence to abort.

Tracing the route to 30.1.1.1

1 192.168.123.2 44 msec 68 msec 60 msec

Site-A-router#show crypto ipsec sa

interface: Tunnel1234

Crypto map tag: Tunnel1234-head-0, local addr 1.1.1.1

protected vrf: (none)

local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

current_peer 3.3.3.2 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 30, #pkts encrypt: 30, #pkts digest: 30

#pkts decaps: 29, #pkts decrypt: 29, #pkts verify: 29

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

Site-B-router#ping 10.1.1.1 repeat 1000

Type escape sequence to abort.

Sending 1000, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!

Success rate is 100 percent (1000/1000), round-trip min/avg/max = 44/62/80 ms

Site-B-router#show crypto ipsec sa

interface: Tunnel123

Crypto map tag: Tunnel123-head-0, local addr 3.3.3.2

protected vrf: (none)

local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

current_peer 1.1.1.1 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 1250, #pkts encrypt: 1250, #pkts digest: 1250

#pkts decaps: 1251, #pkts decrypt: 1251, #pkts verify: 1251

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 6, #recv errors 0

local crypto endpt.: 3.3.3.2, remote crypto endpt.: 1.1.1.1

path mtu 1500, ip mtu 1500, ip mtu idb Serial4/1

current outbound spi: 0x452C1DB(72532443)

PFS (Y/N): N, DH group: none

inbound esp sas:

spi: 0x591B0BB3(1494944691)

transform: esp-aes esp-sha-hmac ,

in use settings ={Tunnel, }

conn id: 3, flow_id: SW:3, sibling_flags 80000046, crypto map: Tunnel123-head-0

sa timing: remaining key lifetime (k/sec): (4478462/2938)

IV size: 16 bytes

replay detection support: Y

Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0x452C1DB(72532443)

transform: esp-aes esp-sha-hmac ,

in use settings ={Tunnel, }

conn id: 4, flow_id: SW:4, sibling_flags 80000046, crypto map: Tunnel123-head-0

sa timing: remaining key lifetime (k/sec): (4478462/2938)

IV size: 16 bytes

replay detection support: Y

Status: ACTIVE

outbound ah sas:

outbound pcp sas:

protected vrf: (none)

local ident (addr/mask/prot/port): (3.3.3.2/255.255.255.255/47/0)

remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)

current_peer 1.1.1.1 port 500

PERMIT, flags={}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 6, #pkts decrypt: 6, #pkts verify: 6

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 3.3.3.2, remote crypto endpt.: 1.1.1.1

path mtu 1500, ip mtu 1500, ip mtu idb Serial4/1

current outbound spi: 0xE345F7FE(3813013502)

PFS (Y/N): N, DH group: none

inbound esp sas:

spi: 0x9FEF2C28(2683251752)

transform: esp-aes esp-sha-hmac ,

in use settings ={Tunnel, }

conn id: 5, flow_id: SW:5, sibling_flags 80000046, crypto map: Tunnel123-head-0

sa timing: remaining key lifetime (k/sec): (4533007/2960)

IV size: 16 bytes

replay detection support: Y

Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0xE345F7FE(3813013502)

transform: esp-aes esp-sha-hmac ,

in use settings ={Tunnel, }

conn id: 6, flow_id: SW:6, sibling_flags 80000046, crypto map: Tunnel123-head-0

sa timing: remaining key lifetime (k/sec): (4533007/2960)

IV size: 16 bytes

replay detection support: Y

Status: ACTIVE

outbound ah sas:

outbound pcp sas:

MPLS

Pages

Pages

What is SVTI Virtual Tunnel Interface? How to configure IPsec Static virtual tunnel?

No comments:

Post a Comment